3 # ====================================================================
4 # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # This module implements support for Intel AES-NI extension. In
11 # OpenSSL context it's used with Intel engine, but can also be used as
12 # drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
15 $PREFIX="aesni"; # if $PREFIX is set to "AES", the script
16 # generates drop-in replacement for
17 # crypto/aes/asm/aes-x86_64.pl:-)
21 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
23 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
25 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
26 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
27 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
28 die "can't locate x86_64-xlate.pl";
30 open STDOUT,"| $^X $xlate $flavour $output";
32 $movkey = $PREFIX eq "aesni" ? "movaps" : "movups";
33 @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
34 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
38 $rounds="%eax"; # input to and changed by aesni_[en|de]cryptN !!!
39 # this is natural Unix argument order for public $PREFIX_[ecb|cbc]_encrypt ...
43 $key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
44 $ivp="%r8"; # cbc, ctr
46 $rnds_="%r10d"; # backup copy for $rounds
47 $key_="%r11"; # backup copy for $key
49 # %xmm register layout
50 $inout0="%xmm0"; $inout1="%xmm1";
51 $inout2="%xmm2"; $inout3="%xmm3";
52 $rndkey0="%xmm4"; $rndkey1="%xmm5";
54 $iv="%xmm6"; $in0="%xmm7"; # used in CBC decrypt, CTR
55 $in1="%xmm8"; $in2="%xmm9";
57 # Inline version of internal aesni_[en|de]crypt1.
59 # Why folded loop? Because aes[enc|dec] is slow enough to accommodate
60 # cycles which take care of loop variables...
63 my ($p,$key,$rounds)=@_;
66 $movkey ($key),$rndkey0
67 $movkey 16($key),$rndkey1
71 aes${p} $rndkey1,$inout0
73 $movkey ($key),$rndkey1
75 jnz .Loop_${p}1_$sn # loop body is 16 bytes
76 aes${p}last $rndkey1,$inout0
79 # void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
81 { my ($inp,$out,$key) = @_4args;
84 .globl ${PREFIX}_encrypt
85 .type ${PREFIX}_encrypt,\@abi-omnipotent
88 movups ($inp),$inout0 # load input
89 mov 240($key),$rounds # pull $rounds
91 &aesni_generate1("enc",$key,$rounds);
93 movups $inout0,($out) # output
95 .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
97 .globl ${PREFIX}_decrypt
98 .type ${PREFIX}_decrypt,\@abi-omnipotent
101 movups ($inp),$inout0 # load input
102 mov 240($key),$rounds # pull $rounds
104 &aesni_generate1("dec",$key,$rounds);
106 movups $inout0,($out) # output
108 .size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
112 # _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
113 # factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
114 # latency is 6, it turned out that it can be scheduled only every
115 # *second* cycle. Thus 3x interleave is the one providing optimal
116 # utilization, i.e. when subroutine's throughput is virtually same as
117 # of non-interleaved subroutine [for number of input blocks up to 3].
118 # This is why it makes no sense to implement 2x subroutine. As soon
119 # as/if Intel improves throughput by making it possible to schedule
120 # the instructions in question *every* cycles I would have to
121 # implement 6x interleave and use it in loop...
122 sub aesni_generate3 {
124 # As already mentioned it takes in $key and $rounds, which are *not*
125 # preserved. $inout[0-2] is cipher/clear text...
127 .type _aesni_${dir}rypt3,\@abi-omnipotent
130 $movkey ($key),$rndkey0
132 $movkey 16($key),$rndkey1
134 pxor $rndkey0,$inout0
135 pxor $rndkey0,$inout1
136 pxor $rndkey0,$inout2
139 aes${dir} $rndkey1,$inout0
140 $movkey ($key),$rndkey0
141 aes${dir} $rndkey1,$inout1
143 aes${dir} $rndkey1,$inout2
144 aes${dir} $rndkey0,$inout0
145 $movkey 16($key),$rndkey1
146 aes${dir} $rndkey0,$inout1
148 aes${dir} $rndkey0,$inout2
151 aes${dir} $rndkey1,$inout0
152 $movkey ($key),$rndkey0
153 aes${dir} $rndkey1,$inout1
154 aes${dir} $rndkey1,$inout2
155 aes${dir}last $rndkey0,$inout0
156 aes${dir}last $rndkey0,$inout1
157 aes${dir}last $rndkey0,$inout2
159 .size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3
162 # 4x interleave is implemented to improve small block performance,
163 # most notably [and naturally] 4 block by ~30%. One can argue that one
164 # should have implemented 5x as well, but improvement would be <20%,
165 # so it's not worth it...
166 sub aesni_generate4 {
168 # As already mentioned it takes in $key and $rounds, which are *not*
169 # preserved. $inout[0-3] is cipher/clear text...
171 .type _aesni_${dir}rypt4,\@abi-omnipotent
174 $movkey ($key),$rndkey0
176 $movkey 16($key),$rndkey1
178 pxor $rndkey0,$inout0
179 pxor $rndkey0,$inout1
180 pxor $rndkey0,$inout2
181 pxor $rndkey0,$inout3
184 aes${dir} $rndkey1,$inout0
185 $movkey ($key),$rndkey0
186 aes${dir} $rndkey1,$inout1
188 aes${dir} $rndkey1,$inout2
189 aes${dir} $rndkey1,$inout3
190 aes${dir} $rndkey0,$inout0
191 $movkey 16($key),$rndkey1
192 aes${dir} $rndkey0,$inout1
194 aes${dir} $rndkey0,$inout2
195 aes${dir} $rndkey0,$inout3
198 aes${dir} $rndkey1,$inout0
199 $movkey ($key),$rndkey0
200 aes${dir} $rndkey1,$inout1
201 aes${dir} $rndkey1,$inout2
202 aes${dir} $rndkey1,$inout3
203 aes${dir}last $rndkey0,$inout0
204 aes${dir}last $rndkey0,$inout1
205 aes${dir}last $rndkey0,$inout2
206 aes${dir}last $rndkey0,$inout3
208 .size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
211 &aesni_generate3("enc") if ($PREFIX eq "aesni");
212 &aesni_generate3("dec");
213 &aesni_generate4("enc") if ($PREFIX eq "aesni");
214 &aesni_generate4("dec");
216 if ($PREFIX eq "aesni") {
217 ########################################################################
218 # void aesni_ecb_encrypt (const void *in, void *out,
219 # size_t length, const AES_KEY *key,
222 .globl aesni_ecb_encrypt
223 .type aesni_ecb_encrypt,\@function,5
226 cmp \$16,$len # check length
229 mov 240($key),$rounds # pull $rounds
231 mov $key,$key_ # backup $key
232 test %r8d,%r8d # 5th argument
233 mov $rounds,$rnds_ # backup $rounds
235 #--------------------------- ECB ENCRYPT ------------------------------#
242 movups ($inp),$inout0
243 movups 0x10($inp),$inout1
244 movups 0x20($inp),$inout2
249 movups $inout0,-0x30($out)
250 mov $rnds_,$rounds # restore $rounds
251 movups $inout1,-0x20($out)
252 mov $key_,$key # restore $key
253 movups $inout2,-0x10($out)
261 movups ($inp),$inout0
263 movups 0x10($inp),$inout1
266 movups 0x20($inp),$inout2
268 movups 0x30($inp),$inout3
270 movups $inout0,($out)
271 movups $inout1,0x10($out)
272 movups $inout2,0x20($out)
273 movups $inout3,0x30($out)
278 &aesni_generate1("enc",$key,$rounds);
280 movups $inout0,($out)
285 movups $inout0,($out)
286 movups $inout1,0x10($out)
291 movups $inout0,($out)
292 movups $inout1,0x10($out)
293 movups $inout2,0x20($out)
295 \f#--------------------------- ECB DECRYPT ------------------------------#
304 movups ($inp),$inout0
305 movups 0x10($inp),$inout1
306 movups 0x20($inp),$inout2
311 movups $inout0,-0x30($out)
312 mov $rnds_,$rounds # restore $rounds
313 movups $inout1,-0x20($out)
314 mov $key_,$key # restore $key
315 movups $inout2,-0x10($out)
323 movups ($inp),$inout0
325 movups 0x10($inp),$inout1
328 movups 0x20($inp),$inout2
330 movups 0x30($inp),$inout3
332 movups $inout0,($out)
333 movups $inout1,0x10($out)
334 movups $inout2,0x20($out)
335 movups $inout3,0x30($out)
340 &aesni_generate1("dec",$key,$rounds);
342 movups $inout0,($out)
347 movups $inout0,($out)
348 movups $inout1,0x10($out)
353 movups $inout0,($out)
354 movups $inout1,0x10($out)
355 movups $inout2,0x20($out)
359 .size aesni_ecb_encrypt,.-aesni_ecb_encrypt
361 ######################################################################
362 # handles only complete blocks, operates on 32-bit counter and
363 # does not update *ivec! (see engine/eng_aesni.c for details)
365 # void aesni_ctr32_encrypt_blocks (const void *in, void *out,
366 # size_t blocks, const AES_KEY *key,
369 $bswap_mask="%xmm11";
372 .globl aesni_ctr32_encrypt_blocks
373 .type aesni_ctr32_encrypt_blocks,\@function,5
375 aesni_ctr32_encrypt_blocks:
377 $code.=<<___ if ($win64);
380 movaps %xmm7,0x10(%rsp)
381 movaps %xmm8,0x20(%rsp)
382 movaps %xmm9,0x30(%rsp)
383 movaps %xmm10,0x40(%rsp)
384 movaps %xmm11,0x50(%rsp)
389 movups ($ivp),$inout3
390 movaps .Lincrement(%rip),$increment
391 movaps .Lbswap_mask(%rip),$bswap_mask
393 pextrd \$3,$inout3,$rnds_ # pull 32-bit counter
394 pinsrd \$3,$rounds,$inout3 # wipe 32-bit counter
396 mov 240($key),$rounds # key->rounds
397 pxor $iv,$iv # vector of 3 32-bit counters
399 pinsrd \$0,$rnds_,$iv
401 pinsrd \$1,$rnds_,$iv
403 pinsrd \$2,$rnds_,$iv
406 pshufb $bswap_mask,$iv
415 pshufd \$`3<<6`,$iv,$inout0 # place counter to upper dword
416 pshufd \$`2<<6`,$iv,$inout1
417 pshufd \$`1<<6`,$iv,$inout2
419 movups 0x10($inp),$in1
420 movups 0x20($inp),$in2
421 por $inout3,$inout0 # merge counter-less ivec
424 pshufb $bswap_mask,$iv
432 pshufb $bswap_mask,$iv
434 movups $in1,0x10($out)
435 movups $in2,0x20($out)
445 pextrd \$1,$iv,$rnds_ # migh need last counter value
451 pshufd \$`3<<6`,$iv,$inout0
452 pshufd \$`2<<6`,$iv,$inout1
453 pshufd \$`1<<6`,$iv,$inout2
458 movups 0x10($inp),$in1
462 movups 0x20($inp),$in2
465 inc $rnds_ # compose last counter value
467 pinsrd \$3,$rnds_,$inout3
468 movups 0x30($inp),$iv
477 movups $in1,0x10($out)
478 movups $in2,0x20($out)
479 movups $iv,0x30($out)
485 &aesni_generate1("enc",$key,$rounds);
497 movups $in1,0x10($out)
507 movups $in1,0x10($out)
508 movups $in2,0x20($out)
513 $code.=<<___ if ($win64);
515 movaps 0x10(%rsp),%xmm7
516 movaps 0x20(%rsp),%xmm8
517 movaps 0x30(%rsp),%xmm9
518 movaps 0x40(%rsp),%xmm10
519 movaps 0x50(%rsp),%xmm11
525 .size aesni_ctr32_encrypt_blocks,.-aesni_ctr32_encrypt_blocks
529 ########################################################################
530 # void $PREFIX_cbc_encrypt (const void *inp, void *out,
531 # size_t length, const AES_KEY *key,
532 # unsigned char *ivp,const int enc);
533 $reserved = $win64?0x40:-0x18; # used in decrypt
535 .globl ${PREFIX}_cbc_encrypt
536 .type ${PREFIX}_cbc_encrypt,\@function,6
538 ${PREFIX}_cbc_encrypt:
539 test $len,$len # check length
542 mov 240($key),$rnds_ # pull $rounds
543 mov $key,$key_ # backup $key
544 test %r9d,%r9d # 6th argument
546 #--------------------------- CBC ENCRYPT ------------------------------#
547 movups ($ivp),$inout0 # load iv as initial state
555 movups ($inp),$inout1 # load input
559 &aesni_generate1("enc",$key,$rounds);
563 mov $rnds_,$rounds # restore $rounds
564 mov $key_,$key # restore $key
565 movups $inout0,-16($out) # store output
569 movups $inout0,($ivp)
573 mov $len,%rcx # zaps $key
574 xchg $inp,$out # $inp is %rsi and $out is %rdi now
575 .long 0x9066A4F3 # rep movsb
576 mov \$16,%ecx # zero tail
579 .long 0x9066AAF3 # rep stosb
580 lea -16(%rdi),%rdi # rewind $out by 1 block
581 mov $rnds_,$rounds # restore $rounds
582 mov %rdi,%rsi # $inp and $out are the same
583 mov $key_,$key # restore $key
584 xor $len,$len # len=16
585 jmp .Lcbc_enc_loop # one more spin
586 \f#--------------------------- CBC DECRYPT ------------------------------#
590 $code.=<<___ if ($win64);
593 movaps %xmm7,0x10(%rsp)
594 movaps %xmm8,0x20(%rsp)
595 movaps %xmm9,0x30(%rsp)
607 movups ($inp),$inout0
608 movups 0x10($inp),$inout1
609 movups 0x20($inp),$inout2
621 movups $inout0,-0x30($out)
622 mov $rnds_,$rounds # restore $rounds
623 movups $inout1,-0x20($out)
624 mov $key_,$key # restore $key
625 movups $inout2,-0x10($out)
633 movups ($inp),$inout0
637 movups 0x10($inp),$inout1
641 movups 0x20($inp),$inout2
645 movups 0x30($inp),$inout3
648 movups 0x30($inp),$iv
650 movups $inout0,($out)
652 movups $inout1,0x10($out)
654 movups $inout2,0x20($out)
655 movaps $inout3,$inout0
657 jmp .Lcbc_dec_tail_collected
661 &aesni_generate1("dec",$key,$rounds);
665 jmp .Lcbc_dec_tail_collected
671 movups $inout0,($out)
673 movaps $inout1,$inout0
675 jmp .Lcbc_dec_tail_collected
681 movups $inout0,($out)
683 movups $inout1,0x10($out)
685 movaps $inout2,$inout0
687 jmp .Lcbc_dec_tail_collected
689 .Lcbc_dec_tail_collected:
692 jnz .Lcbc_dec_tail_partial
693 movups $inout0,($out)
695 .Lcbc_dec_tail_partial:
696 movaps $inout0,$reserved(%rsp)
699 lea $reserved(%rsp),%rsi
700 .long 0x9066A4F3 # rep movsb
704 $code.=<<___ if ($win64);
706 movaps 0x10(%rsp),%xmm7
707 movaps 0x20(%rsp),%xmm8
708 movaps 0x30(%rsp),%xmm9
714 .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
717 # int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
718 # int bits, AES_KEY *key)
719 { my ($inp,$bits,$key) = @_4args;
723 .globl ${PREFIX}_set_decrypt_key
724 .type ${PREFIX}_set_decrypt_key,\@abi-omnipotent
726 ${PREFIX}_set_decrypt_key:
727 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
728 call _aesni_set_encrypt_key
729 shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
732 lea 16($key,$bits),$inp # points at the end of key schedule
734 $movkey ($key),%xmm0 # just swap
742 $movkey ($key),%xmm0 # swap and inverse
749 $movkey %xmm0,16($inp)
750 $movkey %xmm1,-16($key)
753 $movkey ($key),%xmm0 # inverse middle
759 .LSEH_end_set_decrypt_key:
760 .size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
763 # This is based on submission by
765 # Huang Ying <ying.huang@intel.com>
766 # Vinodh Gopal <vinodh.gopal@intel.com>
769 # Agressively optimized in respect to aeskeygenassist's critical path
770 # and is contained in %xmm0-5 to meet Win64 ABI requirement.
773 .globl ${PREFIX}_set_encrypt_key
774 .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
776 ${PREFIX}_set_encrypt_key:
777 _aesni_set_encrypt_key:
778 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
785 movups ($inp),%xmm0 # pull first 128 bits of *userKey
786 pxor %xmm4,%xmm4 # low dword of xmm4 is assumed 0
796 mov \$9,$bits # 10 rounds for 128-bit key
797 $movkey %xmm0,($key) # round 0
798 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1
799 call .Lkey_expansion_128_cold
800 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 2
801 call .Lkey_expansion_128
802 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 3
803 call .Lkey_expansion_128
804 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 4
805 call .Lkey_expansion_128
806 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 5
807 call .Lkey_expansion_128
808 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 6
809 call .Lkey_expansion_128
810 aeskeygenassist \$0x40,%xmm0,%xmm1 # round 7
811 call .Lkey_expansion_128
812 aeskeygenassist \$0x80,%xmm0,%xmm1 # round 8
813 call .Lkey_expansion_128
814 aeskeygenassist \$0x1b,%xmm0,%xmm1 # round 9
815 call .Lkey_expansion_128
816 aeskeygenassist \$0x36,%xmm0,%xmm1 # round 10
817 call .Lkey_expansion_128
819 mov $bits,80(%rax) # 240(%rdx)
825 movq 16($inp),%xmm2 # remaining 1/3 of *userKey
826 mov \$11,$bits # 12 rounds for 192
827 $movkey %xmm0,($key) # round 0
828 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2
829 call .Lkey_expansion_192a_cold
830 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 2,3
831 call .Lkey_expansion_192b
832 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 4,5
833 call .Lkey_expansion_192a
834 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 5,6
835 call .Lkey_expansion_192b
836 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 7,8
837 call .Lkey_expansion_192a
838 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 8,9
839 call .Lkey_expansion_192b
840 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 10,11
841 call .Lkey_expansion_192a
842 aeskeygenassist \$0x80,%xmm2,%xmm1 # round 11,12
843 call .Lkey_expansion_192b
845 mov $bits,48(%rax) # 240(%rdx)
851 movups 16($inp),%xmm2 # remaning half of *userKey
852 mov \$13,$bits # 14 rounds for 256
854 $movkey %xmm0,($key) # round 0
855 $movkey %xmm2,16($key) # round 1
856 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2
857 call .Lkey_expansion_256a_cold
858 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 3
859 call .Lkey_expansion_256b
860 aeskeygenassist \$0x2,%xmm2,%xmm1 # round 4
861 call .Lkey_expansion_256a
862 aeskeygenassist \$0x2,%xmm0,%xmm1 # round 5
863 call .Lkey_expansion_256b
864 aeskeygenassist \$0x4,%xmm2,%xmm1 # round 6
865 call .Lkey_expansion_256a
866 aeskeygenassist \$0x4,%xmm0,%xmm1 # round 7
867 call .Lkey_expansion_256b
868 aeskeygenassist \$0x8,%xmm2,%xmm1 # round 8
869 call .Lkey_expansion_256a
870 aeskeygenassist \$0x8,%xmm0,%xmm1 # round 9
871 call .Lkey_expansion_256b
872 aeskeygenassist \$0x10,%xmm2,%xmm1 # round 10
873 call .Lkey_expansion_256a
874 aeskeygenassist \$0x10,%xmm0,%xmm1 # round 11
875 call .Lkey_expansion_256b
876 aeskeygenassist \$0x20,%xmm2,%xmm1 # round 12
877 call .Lkey_expansion_256a
878 aeskeygenassist \$0x20,%xmm0,%xmm1 # round 13
879 call .Lkey_expansion_256b
880 aeskeygenassist \$0x40,%xmm2,%xmm1 # round 14
881 call .Lkey_expansion_256a
883 mov $bits,16(%rax) # 240(%rdx)
893 .LSEH_end_set_encrypt_key:
899 .Lkey_expansion_128_cold:
900 shufps \$0b00010000,%xmm0,%xmm4
902 shufps \$0b10001100,%xmm0,%xmm4
904 pshufd \$0b11111111,%xmm1,%xmm1 # critical path
909 .Lkey_expansion_192a:
912 .Lkey_expansion_192a_cold:
914 .Lkey_expansion_192b_warm:
915 shufps \$0b00010000,%xmm0,%xmm4
918 shufps \$0b10001100,%xmm0,%xmm4
921 pshufd \$0b01010101,%xmm1,%xmm1 # critical path
924 pshufd \$0b11111111,%xmm0,%xmm3
929 .Lkey_expansion_192b:
931 shufps \$0b01000100,%xmm0,%xmm5
933 shufps \$0b01001110,%xmm2,%xmm3
934 $movkey %xmm3,16(%rax)
936 jmp .Lkey_expansion_192b_warm
939 .Lkey_expansion_256a:
942 .Lkey_expansion_256a_cold:
943 shufps \$0b00010000,%xmm0,%xmm4
945 shufps \$0b10001100,%xmm0,%xmm4
947 pshufd \$0b11111111,%xmm1,%xmm1 # critical path
952 .Lkey_expansion_256b:
956 shufps \$0b00010000,%xmm2,%xmm4
958 shufps \$0b10001100,%xmm2,%xmm4
960 pshufd \$0b10101010,%xmm1,%xmm1 # critical path
963 .size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
970 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
973 .asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
977 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
978 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
986 .extern __imp_RtlVirtualUnwind
988 $code.=<<___ if ($PREFIX eq "aesni");
989 .type ecb_se_handler,\@abi-omnipotent
1003 mov 152($context),%rax # pull context->Rsp
1006 mov %rsi,168($context) # restore context->Rsi
1007 mov %rdi,176($context) # restore context->Rdi
1009 jmp .Lcommon_seh_exit
1010 .size ecb_se_handler,.-ecb_se_handler
1012 .type ctr32_se_handler,\@abi-omnipotent
1026 mov 120($context),%rax # pull context->Rax
1027 mov 248($context),%rbx # pull context->Rip
1029 lea .Lctr32_body(%rip),%r10
1030 cmp %r10,%rbx # context->Rip<"prologue" label
1031 jb .Lin_ctr32_prologue
1033 mov 152($context),%rax # pull context->Rsp
1035 lea .Lctr32_ret(%rip),%r10
1037 jae .Lin_ctr32_prologue
1039 lea 0(%rax),%rsi # top of stack
1040 lea 512($context),%rdi # &context.Xmm6
1041 mov \$12,%ecx # 6*sizeof(%xmm0)/sizeof(%rax)
1042 .long 0xa548f3fc # cld; rep movsq
1043 lea 0x68(%rax),%rax # adjust stack pointer
1045 .Lin_ctr32_prologue:
1048 mov %rax,152($context) # restore context->Rsp
1049 mov %rsi,168($context) # restore context->Rsi
1050 mov %rdi,176($context) # restore context->Rdi
1052 jmp .Lcommon_seh_exit
1053 .size ctr32_se_handler,.-ctr32_se_handler
1056 .type cbc_se_handler,\@abi-omnipotent
1070 mov 152($context),%rax # pull context->Rsp
1071 mov 248($context),%rbx # pull context->Rip
1073 lea .Lcbc_decrypt(%rip),%r10
1074 cmp %r10,%rbx # context->Rip<"prologue" label
1075 jb .Lin_cbc_prologue
1077 lea .Lcbc_decrypt_body(%rip),%r10
1078 cmp %r10,%rbx # context->Rip<cbc_decrypt_body
1079 jb .Lrestore_cbc_rax
1081 lea .Lcbc_ret(%rip),%r10
1082 cmp %r10,%rbx # context->Rip>="epilogue" label
1083 jae .Lin_cbc_prologue
1085 lea 0(%rax),%rsi # top of stack
1086 lea 512($context),%rdi # &context.Xmm6
1087 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
1088 .long 0xa548f3fc # cld; rep movsq
1089 lea 0x58(%rax),%rax # adjust stack pointer
1090 jmp .Lin_cbc_prologue
1093 mov 120($context),%rax
1097 mov %rax,152($context) # restore context->Rsp
1098 mov %rsi,168($context) # restore context->Rsi
1099 mov %rdi,176($context) # restore context->Rdi
1103 mov 40($disp),%rdi # disp->ContextRecord
1104 mov $context,%rsi # context
1105 mov \$154,%ecx # sizeof(CONTEXT)
1106 .long 0xa548f3fc # cld; rep movsq
1109 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1110 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1111 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1112 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1113 mov 40(%rsi),%r10 # disp->ContextRecord
1114 lea 56(%rsi),%r11 # &disp->HandlerData
1115 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1116 mov %r10,32(%rsp) # arg5
1117 mov %r11,40(%rsp) # arg6
1118 mov %r12,48(%rsp) # arg7
1119 mov %rcx,56(%rsp) # arg8, (NULL)
1120 call *__imp_RtlVirtualUnwind(%rip)
1122 mov \$1,%eax # ExceptionContinueSearch
1134 .size cbc_se_handler,.-cbc_se_handler
1139 $code.=<<___ if ($PREFIX eq "aesni");
1140 .rva .LSEH_begin_aesni_ecb_encrypt
1141 .rva .LSEH_end_aesni_ecb_encrypt
1144 .rva .LSEH_begin_aesni_ctr32_encrypt_blocks
1145 .rva .LSEH_end_aesni_ctr32_encrypt_blocks
1146 .rva .LSEH_info_ctr32
1149 .rva .LSEH_begin_${PREFIX}_cbc_encrypt
1150 .rva .LSEH_end_${PREFIX}_cbc_encrypt
1153 .rva ${PREFIX}_set_decrypt_key
1154 .rva .LSEH_end_set_decrypt_key
1157 .rva ${PREFIX}_set_encrypt_key
1158 .rva .LSEH_end_set_encrypt_key
1163 $code.=<<___ if ($PREFIX eq "aesni");
1169 .rva ctr32_se_handler
1176 .byte 0x01,0x04,0x01,0x00
1177 .byte 0x04,0x02,0x00,0x00
1182 local *opcode=shift;
1185 if ($dst>=8 || $src>=8) {
1187 $rex|=0x04 if($dst>=8);
1188 $rex|=0x01 if($src>=8);
1197 if ($line=~/(aeskeygenassist)\s+\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
1198 rex(\@opcode,$4,$3);
1199 push @opcode,0x0f,0x3a,0xdf;
1200 push @opcode,0xc0|($3&7)|(($4&7)<<3); # ModR/M
1202 push @opcode,$c=~/^0/?oct($c):$c;
1203 return ".byte\t".join(',',@opcode);
1205 elsif ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) {
1208 "aesenc" => 0xdc, "aesenclast" => 0xdd,
1209 "aesdec" => 0xde, "aesdeclast" => 0xdf
1211 return undef if (!defined($opcodelet{$1}));
1212 rex(\@opcode,$3,$2);
1213 push @opcode,0x0f,0x38,$opcodelet{$1};
1214 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
1215 return ".byte\t".join(',',@opcode);
1220 $code =~ s/\`([^\`]*)\`/eval($1)/gem;
1221 $code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;